The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Browsers are powerful computer programs that may request and execute instructions received from a web server to generate complex user interfaces that are presented to a user through one or more devices, such as a monitor or speakers. In response to input from a user indicating that the user selected an object defined in the instructions, a browser may send a request based on the selected object to the web server. The request may be a request for data or include data to be processed by the web server. For example, a browser may present a web page from a web server that defines a form, a user may enter data into one or more fields in the form, select a submit button. In response the browser may generate request that includes the data entered into the one or more fields, and send the request to the web server.
Attackers may use software, often referred to as a “bot” or “headless browser”, which imitates a browser and a user by receiving instructions from a web server and autonomously generating requests based on those instructions. For example, a bot may receive a web page, gather data in one or more objects defined in the web page, and generate a request for another web page to gather additional data, as if a user using a browser was requesting a new web page. Also for example, a bot may generate and send a request with data assigned to one or more parameters that correspond to fields in a web page to simulate a user submitting data to a web server through a browser.
Attackers may use bots to commit many types of unauthorized acts, crimes or computer fraud, such as web site or content scraping, ratings manipulation, fake account creation, reserving rival goods attacks, credential stuffing attacks, password snooping, vulnerability assessments, brute force attacks, click fraud, DDoS attacks, bidding wars, and system fingerprinting attacks. As a specific example, a malicious user may cause a bot to traverse through pages of a web site and collect private or proprietary data, such as emails of all employees or prices of competitive products.
Web server administrators may wish to prevent malicious users from attacking the site, while allowing legitimate users to use the site as intended. However, determining which requests are generated by a legitimate user using a web browser and a malicious user using a bot may be difficult.